2011-04-07 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
script-src should block inline script
https://bugs.webkit.org/show_bug.cgi?id=58012
Test that script-src blocks inline script. This test uses a different
approach than the existing tests for variety.
* http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/inline-script-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/document-write-alert-fail.js: Added.
* http/tests/security/contentSecurityPolicy/resources/dump-as-text.js: Added.
2011-04-07 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
script-src should block inline script
https://bugs.webkit.org/show_bug.cgi?id=58012
Block inline scripts at the ScriptElement layer. This should catch
exactly the scripts we want to catch.
Test: http/tests/security/contentSecurityPolicy/inline-script-blocked.html
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv):
- This patch also adds the ability to supply a CSP policy via a
<meta> tag. We'll update the name of the header once we've
finished implementing the spec.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::executeScript):
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowInlineScript):
* page/ContentSecurityPolicy.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@83159 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
index 9a07bb8..5dd6b7d 100644
--- a/Source/WebCore/dom/ScriptElement.cpp
+++ b/Source/WebCore/dom/ScriptElement.cpp
@@ -257,6 +257,9 @@
if (sourceCode.isEmpty())
return;
+ if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript())
+ return;
+
RefPtr<Document> document = m_element->document();
ASSERT(document);
if (Frame* frame = document->frame()) {
